Configure sign-in enforcement

Table of contents
Subscription: Team Business
For: Administrators

You can enforce sign-in for Docker Desktop using several methods. Choose the method that best fits your organization's infrastructure and security requirements.

Choose your method

MethodPlatform
Registry keyWindows only
Configuration profilesmacOS only
plist filemacOS only
registry.jsonAll platforms
Tip

For macOS, configuration profiles offer the highest security because they're protected by Apple's System Integrity Protection (SIP).

Windows: Registry key method

To configure the registry key method manually:

  1. Create the registry key:

    $ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Docker\Docker Desktop

  2. Create a multi-string value name allowedOrgs.

  3. Use your organization names as string data:

    • Use lowercase letters only
    • Add each organization on a separate line
    • Do not use spaces or commas as separators

  4. Restart Docker Desktop.

  5. Verify the Sign in required! prompt appears in Docker Desktop.

Important

You can add multiple organizations with Docker Desktop version 4.36 and later. With version 4.35 and earlier, adding multiple organizations causes sign-in enforcement to fail silently.

Deploy the registry key across your organization using Group Policy:

  1. Create a registry script with the required key structure.
  2. In Group Policy Management, create or edit a GPO.
  3. Navigate to Computer Configuration > Preferences > Windows Settings > Registry.
  4. Right-click Registry > New > Registry Item.
  5. Configure the registry item:
    • Action: Update
    • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Docker\Docker Desktop
    • Value name: allowedOrgs
    • Value data: Your organization names
  6. Link the GPO to the target Organizational Unit.
  7. Test on a small group using gpupdate/force.
  8. Deploy organization-wide after verification.
Requires: Docker Desktop 4.36 and later

Configuration profiles provide the most secure enforcement method for macOS because they're protected by Apple's System Integrity Protection.

  1. Create a file named docker.mobileconfig with this content:
     <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
   <dict>
     <key>PayloadContent</key>
     <array>
       <dict>
         <key>PayloadType</key>
         <string>com.docker.config</string>
         <key>PayloadVersion</key>
         <integer>1</integer>
         <key>PayloadIdentifier</key>
         <string>com.docker.config</string>
         <key>PayloadUUID</key>
         <string>eed295b0-a650-40b0-9dda-90efb12be3c7</string>
         <key>PayloadDisplayName</key>
         <string>Docker Desktop Configuration</string>
         <key>PayloadDescription</key>
         <string>Configuration profile to manage Docker Desktop settings.</string>
         <key>PayloadOrganization</key>
         <string>Your Company Name</string>
         <key>allowedOrgs</key>
         <string>first_org;second_org</string>
       </dict>
     </array>
     <key>PayloadType</key>
     <string>Configuration</string>
     <key>PayloadVersion</key>
     <integer>1</integer>
     <key>PayloadIdentifier</key>
     <string>com.yourcompany.docker.config</string>
     <key>PayloadUUID</key>
     <string>0deedb64-7dc9-46e5-b6bf-69d64a9561ce</string>
     <key>PayloadDisplayName</key>
     <string>Docker Desktop Config Profile</string>
     <key>PayloadDescription</key>
     <string>Config profile to enforce Docker Desktop settings for allowed organizations.</string>
     <key>PayloadOrganization</key>
     <string>Your Company Name</string>
   </dict>
 </plist>
  2. Replace placeholders:
    • Change com.yourcompany.docker.config to your company identifier
    • Replace Your Company Name with your organization name
    • Update the allowedOrgs value with your organization names (separated by semicolons)
  3. Deploy the profile using your MDM solution.
  4. Verify the profile appears in System Settings > General > Device Management under Device (Managed) profiles.

macOS: plist file method

Use this alternative method for macOS with Docker Desktop version 4.32 and later.

  1. Create the file /Library/Application Support/com.docker.docker/desktop.plist.
  2. Add this content, replacing myorg1 and myorg2 with your organization names:
    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
      <key>allowedOrgs</key>
      <array>
          <string>myorg1</string>
          <string>myorg2</string>
      </array>
  </dict>
</plist>
  3. Set file permissions to prevent editing by non-administrator users.
  4. Restart Docker Desktop.
  5. Verify the Sign in required! prompt appears in Docker Desktop.

Create and deploy a script for organization-wide distribution:

#!/bin/bash

# Create directory if it doesn't exist
sudo mkdir -p "/Library/Application Support/com.docker.docker"

# Write the plist file
sudo defaults write "/Library/Application Support/com.docker.docker/desktop.plist" allowedOrgs -array "myorg1" "myorg2"

# Set appropriate permissions
sudo chmod 644 "/Library/Application Support/com.docker.docker/desktop.plist"
sudo chown root:admin "/Library/Application Support/com.docker.docker/desktop.plist"

Deploy this script using SSH, remote support tools, or your preferred deployment method.

All platforms: registry.json method

The registry.json method works across all platforms and offers flexible deployment options.

File locations

Create the registry.json file at the appropriate location:

PlatformLocation
Windows/ProgramData/DockerDesktop/registry.json
Mac/Library/Application Support/com.docker.docker/registry.json
Linux/usr/share/docker-desktop/registry/registry.json

Basic setup

  1. Ensure users are members of your Docker organization.
  2. Create the registry.json file at the appropriate location for your platform.
  3. Add this content, replacing organization names with your own:
    {
   "allowedOrgs": ["myorg1", "myorg2"]
}
  4. Set file permissions to prevent user editing.
  5. Restart Docker Desktop.
  6. Verify the Sign in required! prompt appears in Docker Desktop.
Tip

If users have issues starting Docker Desktop after enforcing sign-in, they may need to update to the latest version.

Windows (PowerShell as Administrator)

Set-Content /ProgramData/DockerDesktop/registry.json '{"allowedOrgs":["myorg1","myorg2"]}'

macOS

sudo mkdir -p "/Library/Application Support/com.docker.docker"
echo '{"allowedOrgs":["myorg1","myorg2"]}' | sudo tee "/Library/Application Support/com.docker.docker/registry.json"

Linux

sudo mkdir -p /usr/share/docker-desktop/registry
echo '{"allowedOrgs":["myorg1","myorg2"]}' | sudo tee /usr/share/docker-desktop/registry/registry.json

Create the registry.json file during Docker Desktop installation:

Windows

# PowerShell
Start-Process '.\Docker Desktop Installer.exe' -Wait 'install --allowed-org=myorg'

# Command Prompt
"Docker Desktop Installer.exe" install --allowed-org=myorg

macOS

sudo hdiutil attach Docker.dmg
sudo /Volumes/Docker/Docker.app/Contents/MacOS/install --allowed-org=myorg
sudo hdiutil detach /Volumes/Docker

Method precedence

When multiple configuration methods exist on the same system, Docker Desktop uses this precedence order:

  1. Registry key (Windows only)
  2. Configuration profiles (macOS only)
  3. plist file (macOS only)
  4. registry.json file
Important

Docker Desktop version 4.36 and later supports multiple organizations in a single configuration. Earlier versions (4.35 and below) fail silently when multiple organizations are specified.

Troubleshoot sign-in enforcement

If sign-in enforcement doesn't work:

  • Verify file locations and permissions
  • Check that organization names use lowercase letters
  • Restart Docker Desktop or reboot the system
  • Confirm users are members of the specified organizations
  • Update Docker Desktop to the latest version